A little late, but this hotfix is available for Microsoft Identity Manager 2016.
This update replaces version 4.3.2064.0.
Download: https://support.microsoft.com/en-us/kb/3134725
The fix
Issues that are fixed or features that are added in this update
This update fixes the following issues or adds the following features that were not previously documented in the Microsoft Knowledge Base.
Privileged Access Management (PAM)
Issue 1
Some group memberships may not be removed by the MIM component service after the PAM request expiration period. This hotfix addresses removal of expired group memberships.
Note If you use PAM, this is an important update and should be installed in all environments.
Issue 2
A PAM user has their NetBIOS domain name saved in the Service Database and the PAM user can log on to the Portal.
Issue 3
MIM Monitor errors occur when you use the NetBIOS name for source groups.
Issue 4
The New-PAMGroup and New-PAMUser cmdlets do not accept the fully qualified domain name (FQDN) of the domain.
MIM add-ins and extensions
Issue 1
The Approval buttons in the Outlook Add-in disappear in some UI interactions.
Issue 2
You receive an "Installation prerequisites not met" error message if you try to install the MIM Add-in for Outlook on a computer that has Outlook 2016 installed.
MIM Certificate Management
Issue 1
The Profile Template Settings Report displays incorrect information: it shows that PIN Rollover is enabled and that the Admin PIN initial value is set even when this is not the case. Also, if the Diversify Admin Key setting is enabled, it is not shown in the Profile Template Settings Report.
Issue 2
The "Support for non-FIM CM certificates requests" plug-in doesn't create profiles for external certificates that were created outside MIM Certificate Management (CM).
Issue 3
This hotfix updates tracing and logging for the MIM CM CA modules. Because the CA modules run on the AD CS server, which may be a different computer from the CM server, their tracing is configured separately from CM Server application tracing.
How to use the CA modules tracing
CA module tracing is configured separately from CM Server application tracing, because the CA modules might be installed on a separate computer.
Log location
Events can be viewed in the Microsoft\IdentityManagement\CertificateManagement\Admin event log. By default, the CA modules also write messages to a file in the %temp% folder of the CA service account (usually C:\Windows\TEMP). To change the log file location, specify the new path in the registry. Make sure that the directory exists and that the account the CA service runs as (LocalSystem by default) has write access to it; grant that access to the service account rather than to Everyone.
How to change logs location
- Go to HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\CertSvc\Configuration in the registry.
- Define a new file location in the ClmCATrace registry value.
- Restart the CA.
Trace switch for ExitModule
String name: Microsoft.Clm.ExitModule
Value data: one of Verbose|Info|Warning|Error
Trace switch for PolicyModule
String name: Microsoft.Clm.PolicyModule
Value data: one of Verbose|Info|Warning|Error
Trace switch for PolicyModule plugins
String name: Microsoft.Clm.PolicyModulePlugins
Value data: one of Verbose|Info|Warning|Error
Note Unless the value is defined, the default level is Info. After a trace switch is changed, restart the CA.
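The procedure above, as an added PowerShell example that is not part of the KB article: it creates the trace directory with write access for the CA service account only, sets ClmCATrace and the three trace switches, restarts the CA and reads the result back. It assumes the trace switches are string values under the same CertSvc\Configuration key as ClmCATrace, that the CA runs as LocalSystem, and the log path C:\ClmTrace\clm-ca.log is a placeholder. Run it in an elevated session on the AD CS server.

```powershell
# Added example (not from the KB): configure MIM CM CA-module tracing on the AD CS server.
param(
    [string]$TracePath = 'C:\ClmTrace\clm-ca.log',           # assumed location, change to taste
    [ValidateSet('Verbose', 'Info', 'Warning', 'Error')]
    [string]$Level = 'Verbose'                                # turn back to Info/Warning when done
)

$key = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'

# 1. The directory must exist and be writable by the CA. AD CS runs as LocalSystem by
#    default, so grant Modify to SYSTEM only; do not hand the trace folder to Everyone.
$dir = Split-Path -Path $TracePath -Parent
if (-not (Test-Path -Path $dir)) {
    New-Item -Path $dir -ItemType Directory | Out-Null
}
$acl  = Get-Acl -Path $dir
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    'NT AUTHORITY\SYSTEM', 'Modify', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $dir -AclObject $acl

# 2. Point the CA modules at the new log file (ClmCATrace) and set the three trace
#    switches. Assumption: the switches live under the same CertSvc\Configuration key.
Set-ItemProperty -Path $key -Name 'ClmCATrace' -Value $TracePath -Type String
foreach ($switch in 'Microsoft.Clm.ExitModule',
                    'Microsoft.Clm.PolicyModule',
                    'Microsoft.Clm.PolicyModulePlugins') {
    Set-ItemProperty -Path $key -Name $switch -Value $Level -Type String
}

# 3. The modules read the switches at CA start-up, so restart the CA service.
Restart-Service -Name CertSvc

# 4. Show what is now configured.
Get-ItemProperty -Path $key |
    Select-Object ClmCATrace,
                  'Microsoft.Clm.ExitModule',
                  'Microsoft.Clm.PolicyModule',
                  'Microsoft.Clm.PolicyModulePlugins'
```

Set Verbose only while troubleshooting and drop the level back afterwards; a verbose policy-module trace grows quickly on a busy CA.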
Issue 4
Certificate enrollment fails when the system uses the German locale.
MIM Synchronization Service
Issue 1
An export-only file-based ECMA2 connector could not export deleted objects.
Issue 2
The msDS-UserPasswordExpiryTimeComputed attribute is displayed as an available attribute in the Select Attributes tab of the Active Directory Domain Services (AD DS) management agent. Because it is a constructed attribute in AD DS, it is not returned by import operations. As of this update, the attribute is removed from the list of available attributes in the management agent.
Issue 3
Sometimes the Import Server Configuration dialog box of the MIM Synchronization Service manager (MIISClient) hangs during the "Import Server Configuration" stage.
Issue 4
Running more than one run profile that contains a synchronization step at the same time may cause data corruption.
Note A message box is displayed with error code 0x8023063D.
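The practical consequence of Issue 4 is that run profiles containing synchronization steps must be executed strictly one after another. Below is an added PowerShell example, not from the KB article, that does this through the Synchronization Service WMI provider (root\MicrosoftIdentityIntegrationServer, class MIIS_ManagementAgent with its Execute and RunStatus methods): it waits until no management agent reports an in-progress run before starting the next profile. The management agent and run profile names in the plan are constructed for illustration; run it on the synchronization server as a member of the MIM sync operators group.

```powershell
# Added example (not from the KB): execute run profiles serially via the MIIS WMI provider.
$ns = 'root\MicrosoftIdentityIntegrationServer'

function Get-RunningMA {
    # Names of all management agents that currently report an in-progress run.
    Get-WmiObject -Namespace $ns -Class MIIS_ManagementAgent |
        Where-Object { $_.RunStatus().ReturnValue -eq 'in-progress' } |
        Select-Object -ExpandProperty Name
}

function Invoke-RunProfileSerialized {
    param(
        [Parameter(Mandatory)][string]$MAName,
        [Parameter(Mandatory)][string]$ProfileName,
        [int]$PollSeconds = 10
    )
    # Wait for the whole server to go idle, not just this MA: a sync step in another
    # MA's profile touches the same metaverse and is exactly the concurrent case to avoid.
    while ($busy = @(Get-RunningMA)) {
        Write-Verbose "Waiting for: $($busy -join ', ')"
        Start-Sleep -Seconds $PollSeconds
    }
    $ma = Get-WmiObject -Namespace $ns -Class MIIS_ManagementAgent -Filter "Name='$MAName'"
    if (-not $ma) { throw "Management agent '$MAName' not found" }
    # Execute() blocks until the run profile finishes and returns its result string.
    $result = $ma.Execute($ProfileName).ReturnValue
    if ($result -ne 'success') {
        throw "Run profile '$ProfileName' on '$MAName' returned '$result'"
    }
    $result
}

# Constructed plan: profiles are started one at a time, in this order.
$plan = @(
    @{ MA = 'AD_MA';  Profile = 'ADMA_FULLIMPORT' },
    @{ MA = 'AD_MA';  Profile = 'ADMA_FULLSYNC'   },
    @{ MA = 'MIM_MA'; Profile = 'MIMMA_EXPORT'    }
)
foreach ($step in $plan) {
    Invoke-RunProfileSerialized -MAName $step.MA -ProfileName $step.Profile -Verbose
}
```

If run profiles are also triggered by scheduled tasks or another orchestrator, the same idle check belongs there too; the hotfix surfaces the overlap as error 0x8023063D, it does not make the overlap safe.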
Issue 5
After an authoritative restore of Active Directory objects, an Active Directory Management Agent (AD MA) delta import mistakenly detects them as deleted.
Issue 6
This update adds the ability to override the default synchronization engine behavior of assigning new run profile GUIDs when the server configuration is exported and imported.
Note This update adds a special registry value to turn on the GUID "keeping" mode. To enable "keeping" mode, create the following:
String name: KeepEqualRunPrGuids
Value data: True
Issue 7
This update extends the AD MA configuration cmdlets to handle multiple partitions.
Note Set-MIISADMAConfiguration now accepts a -Partitions parameter; separate multiple partitions with a semicolon (;).
Usage
Issue 8
This update adds a new cmdlet Add-MIISADMARunProfileStep.
Note The usage example adds a "Full import" run profile step, assigned to partition 'DC=CONTOSO,DC=COM', to the run profile named 'ADMA_FULLIMPORT' of the management agent AD_MA. If a run profile with this name does not exist, it is created. The management agent must already exist.
Possible values of the StepType parameter (short or long form can be used):
- "FI", "FULL IMPORT"
- "FS", "FULL SYNCHRONIZATION"
- "FIFS", "FULL IMPORT AND FULL SYNCHRONIZATION"
- "FIDS", "FULL IMPORT AND DELTA SYNCHRONIZATION"
- "DI", "DELTA IMPORT"
- "DS", "DELTA SYNCHRONIZATION"
- "DIDS", "DELTA IMPORT AND DELTA SYNCHRONIZATION"
- "EXP","EXPORT"
Usage
Issue 9
MmsScrpt.exe crashes because the binary has an invalid entry point. The most common error displayed is "Access violation."
Issue 10
The Import-MIISServerConfig PowerShell cmdlet does not allow a management agent to be skipped during configuration import.
MIM Portal
Issue 1
This update enables customizations in which controls are shown or hidden based on the state of the email-enabling check box.
An additional attribute is added to the RCDC configuration data: the Event element can now have a Parameters attribute. For the OnChangeEmailEnabling event in the Group RCDC, it should contain a comma-separated (case-sensitive) list of the controls to show or hide.
Here is a small sample (part of a Group RCDC) to show how it works:
<my:Control my:Name="EmailEnabling" my:TypeName="UocCheckBox"
            my:Caption="%SYMBOL_EmailEnablingCaption_END%"
            my:Description="%SYMBOL_EmailEnablingDescription_END%"
            my:AutoPostback="true"
            my:RightsLevel="{Binding Source=rights, Path=Email}">
  <my:Properties>
    <my:Property my:Name="Text" my:Value="%SYMBOL_EmailEnablingValue_END%"/>
  </my:Properties>
  <my:Events>
Note If the Parameters attribute is omitted, the behavior is unchanged from previous versions.
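For reference, here is the check box control written out in full with the new attribute in place. This is an added illustration, not the KB's own sample or a shipped RCDC: the Handler value and the two control names listed in Parameters (MailNickname and MembershipAddWorkflow) are assumptions chosen to show the syntax, and must match the my:Name values of controls that actually exist in your Group RCDC, with the same case.

```xml
<!-- Added example, not from the KB. Control names in my:Parameters are assumed. -->
<my:Control my:Name="EmailEnabling" my:TypeName="UocCheckBox"
            my:Caption="%SYMBOL_EmailEnablingCaption_END%"
            my:Description="%SYMBOL_EmailEnablingDescription_END%"
            my:AutoPostback="true"
            my:RightsLevel="{Binding Source=rights, Path=Email}">
  <my:Properties>
    <my:Property my:Name="Text" my:Value="%SYMBOL_EmailEnablingValue_END%"/>
  </my:Properties>
  <my:Events>
    <!-- Parameters: comma-separated, case-sensitive list of controls that the
         portal shows when the box is checked and hides when it is cleared. -->
    <my:Event my:Name="OnChangeEmailEnabling"
              my:Handler="OnChangeEmailEnabling"
              my:Parameters="MailNickname,MembershipAddWorkflow"/>
  </my:Events>
</my:Control>
```

Because the list is case-sensitive, a name that differs only in case from the control's my:Name is silently ignored, which looks exactly like the pre-hotfix behavior; check the names first when the controls do not toggle.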
Issue 2
This update adds the ability to fully customize the portal header.
Note To replace the portal header section with custom HTML content, add a CustomPortalHeader.html file to the Customizations folder.
Issue 3
Some supported languages and cultures were reported to be localized incorrectly under certain culture-specific localization settings; all are now localized correctly.
Issue 4
The Portal does not verify the content of uploaded image files by default, so any file uploaded under an image file name is accepted. The Portal can check that the content really is an image. To enable this verification, the User Creation and User Editing RCDCs have to be changed by adding the Property option to the UocFileUpload control, as in the following example:
MIM Service
Issue 1
During installation of the 4.3.2064.0 hotfix, the database upgrade fails if the FIM Service database name is not the default, FIMService.
Issue 2
Deadlocks may occur during a request evaluation if a complex Set schema is implemented.
Issue 3
The configuration backup tool does not work in MIM.
Issue 4
FIM Management Agent (MA) export now lets you add multivalued string attributes to MIM objects.
BHOLD
Issue 1
The applicationdeletealias function is added to the BHOLD web service.
The function name, together with its arguments, can be passed as the argument of the ExecuteXml method.
Notes
- userid and applicationid are mandatory arguments
- alias is an optional argument. If alias is not given, the function deletes all aliases for the application-user pair.
Issue 2
BHOLD Core writes an error to the LogItems table when roles are removed from a parent.
Language Support
Issue 1
The new Serbian (Latin) culture, sr-Latn-RS, is available for the following components:
- MIM Service
- MIM Clients
- Certificate management
Joris